Andreas Schiffler wrote:
>
> In an LVS/DR environment, should I get a certificate for the VIP only or one
> for each real server or one for all machines in the cluster.
(warning: I haven't set up a certificated https LVS, just an https LVS,
so I haven't done this below.)
If you are appearing to be only one site (https://foo.bar.com) then you
need _one_ certificate in the name of the site (foo.bar.com) which you
put on all the real-servers (read the https section in the HOWTO - the
important part for https is to get the names right and to ignore the VIPs).
For any session the client is being connected to a real-server and the client
has no knowledge of any other machines in the LVS. The real-server then must
be configured as if it were https://foo.bar.com
> The client
> browser/application will only access URLs with the VIPs hostname, but the
> actual traffic will come from the real servers - according to verisign
> (http://www.verisign.com/rsc/wp/certshare/index.html), a load balancing setup
> requires separate certificates for each real server (www1., www2, ....) but
> what about a certificate for the director (www.).
The director is just a router. It doesn't have anything listening
on port 443. It doesn't need a certificate.
Neither the client nor the real-servers can tell that the director exists.
The client thinks it is directly connected to the real-server.
Now if you have lots of https sites needing certificates, then
a thread on this list recently has described how to get around needing
large numbers of certificates. I don't understand how it works. Someone
has asked for example config files, but I haven't seen them yet.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
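An added check for the point made above (example code, not from the thread): it connects to each real-server by its own IP, the way a client does after the director forwards it, offers the site name via SNI, verifies the served certificate against that name, and then confirms every real-server returned the identical certificate. The site name foo.bar.com is the one used in the reply; the real-server addresses are constructed placeholders.

```python
import hashlib
import socket
import ssl

SITE_NAME = "foo.bar.com"                     # site name used in the reply
REAL_SERVERS = ["192.0.2.11", "192.0.2.12"]   # constructed RIPs, not from the page


def probe_real_server(ip, site_name=SITE_NAME, port=443, timeout=5):
    """Connect to one real-server by IP (as a forwarded client would), send the
    site name via SNI, and fully verify the certificate against that name using
    the system CA store. Returns the SHA-256 fingerprint of the served
    certificate on success, or an 'error: ...' string if the handshake or the
    name check fails."""
    ctx = ssl.create_default_context()       # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=site_name) as tls:
                der = tls.getpeercert(binary_form=True)
                return hashlib.sha256(der).hexdigest()
    except (ssl.SSLError, OSError) as exc:
        return f"error: {exc}"


def evaluate(results):
    """Given {ip: fingerprint-or-error}, return (ok, problems). The cluster is
    consistent only if every real-server handshakes cleanly for the site name
    and all of them present the same certificate (one cert, copied everywhere)."""
    problems = []
    good = {}
    for ip, value in results.items():
        if value.startswith("error:"):
            problems.append(f"{ip}: {value}")
        else:
            good[ip] = value
    if len(set(good.values())) > 1:
        problems.append("real-servers present different certificates: "
                        + ", ".join(f"{ip}={fp[:16]}" for ip, fp in good.items()))
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = evaluate({ip: probe_real_server(ip) for ip in REAL_SERVERS})
    print("OK: all real-servers serve the same valid certificate" if ok
          else "\n".join(problems))
```

Because the director only routes packets and listens on nothing, it is deliberately absent from the list of hosts probed.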